North American Network Operators Group


Re: Monumentous task of making a list of all DDoS Zombies.

  • From: Suresh Ramasubramanian
  • Date: Sun Feb 08 21:55:18 2004

Sean Donelan wrote:
> But I still don't understand why an ISP unwilling to spend the money
> to trace uses with RADIUS or other existing methods; is going to want
> to spend money on interfacing their systems with Dynamic DNS servers and
All I'm saying, Sean, is that there should be a quick way (or even an automated way) for the NOC to track down and deactivate trojaned hosts / zombies etc on their network.

Put the MAC address in, or a hashed version of the guy's userid in, or anything else you want [cf: EB Dreger's post].

Or query RADIUS or other methods if you like. As long as it can be automated, and there's a way to immediately parse out the guy's userid and deactivate it ... I don't particularly care. I just suggested one method. Sure, there are several others.

> Digital rights management, password guessing, IRC bans, mail blocks, etc
> could work much more effectively if ISPs provided a unique identifier for
> subscribers.  If software and hardware vendors included a hard-coded
I never said that unique identifier had to be intelligible to anybody other than the ISP. The 1984-esque scenario is interesting, but not really what I was suggesting.

> As you point out, there are a lot of them.  But the goal should be to
> NOT have the ISP's staffers handle individual complaints.  Any "solution"
Your staff will still get a ton of complaints. If these can be parsed by a script that looks for virus / trojan strings in the complaint, extracts the IP (or has your NOC dude just click the IP in his ticketing system, like in RT + IRTT) and the account just goes away - then fine.

As long as the user is still active and still able to login to your network, you have a ddos zombie in there.

> I assume you are aware that one of the fastest growing trojan segments
> includes trojans which can not be detected by port scanners.
Yes. There are stealth trojans. But just looking for sudden peaks of traffic, or other wormsign, might help in such a case.

> You are correct that prevention is better than the cure.  Unfortunately
> you've misidentified the point of prevention.  The software vendor is
> in the best position to prevent systems being compromised.  A change at
You know, I would love it if I had a userbase that was all mac / *nix. Or at least a userbase running windows that would take the time and trouble to at least patch their systems and update their AV definitions once in a while, and which would use something safer than IE + Outlook to surf the web & read their email, like say Firebird + Thunderbird.

If you only have such model users on your network, let me know if you are hiring and I'll immediately send you my CV :) But for want of that ...
> The number of spoofed packets received has very little to do with the
> number of sources of spoofed packets.  But again, it points out the
> lack of hard data.  Yesterday, a red car cut me off, so obviously the
> problem is red cars and we should prohibit all red cars.
Analogies do suck, don't they? Try that one with "street illegal souped up muscle car" instead of "red car" and see if it holds. All I said was that the guy running the mirror told me that he got a non trivial number of DoS attempts from sources that used spoofed packets. And as far as I know, there is no reason _not_ to filter spoofed source packets.

>> 1. Easy identifying of hosts, at least to the ISP (to avoid privacy
> By whom?  Should anyone be able to identify any host any time, or is it
> only necessary for inter-connected providers to identify the next provider
Jesus. The ISP who is providing that IP should have some way to immediately / automatically identify its users who have trojaned PCs and lock them out, something tied to their ticketing system, or to an IDS even, if they are into automated detection of trojans.

>> 3. Proactive network sweeps
> Sweeps for what?
open proxies, open relays, those trojans that can be detected by portscans .... but I guess that question was rhetorical.

> Of course you meant to say contact the person who sold you your computer
> for help fixing your computer.  The police write tickets, they don't
> fix cars.
You got it. But then you need to call your ISP to get your IP un-vlaned, or your account reactivated, surely?

>> 5. Cooperation with law enforcement if necessary, to track down and
>> punish the DDoSer.
> Of course, the original issue was PTR records for spam, not DDOS.  But
PTR records for just about everything. The topic seems to have drifted this way (which is good, at least in the nanog context where discussions about spam are apparently streng verboten).

> Which ISPs are not cooperating with law enforcement?

> In the US, if you receive harassing or threatening phone calls, you have
> to file a police report.  The telephone company only provides the
> information about the source of the calls to the police for followup.
Look, I do know the drill about handling subpoenas. But that's a bit different from an ISP going after and suing a kiddie who targets their network. Microsoft / SCO offering a bounty to go after the mydoom author sounds like a joke, but yeah, we just might need more such jokes.

> How many people file police reports for spam, ddos, etc.
You would (or maybe wouldn't) be surprised.
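The complaint-handling flow Suresh sketches (a script spots virus/trojan strings in an abuse complaint, pulls out the offending IP, maps it through RADIUS-style accounting to the subscriber who held that address at that time, and hands the ticketing system a suspend action), as an added Python example that is not part of the thread. The complaint text, session records, customer address pool and the "suspend" action are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed abuse complaint for this example (not from the thread).
COMPLAINT = """Date: 2004-02-08 14:03:00 UTC
Our honeypot at 203.0.113.7 logged repeated connections on TCP/1434
from 198.51.100.23 at 2004-02-08 13:55:10 UTC. The payload matched a
known trojan signature. Please deal with the infected host."""
# Constructed RADIUS-accounting style session log: (userid, ip, start, stop).
SESSIONS = [
    ("user1234", "198.51.100.23", "2004-02-08 12:00:00", "2004-02-08 16:00:00"),
    ("user5678", "198.51.100.23", "2004-02-08 17:00:00", "2004-02-08 19:00:00"),
]
OUR_PREFIX = "198.51.100."          # hypothetical customer address pool
MALWARE_TERMS = ("trojan", "worm", "zombie", "botnet", "open proxy", "open relay")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
FMT = "%Y-%m-%d %H:%M:%S"

def parse_complaint(text):
    """Return (looks_like_malware_report, [(ip, timestamp), ...]) for our IPs only.
    Each IP is paired with the first timestamp that follows it in the text."""
    flagged = any(term in text.lower() for term in MALWARE_TERMS)
    events = []
    for m in IPV4.finditer(text):
        if not m.group().startswith(OUR_PREFIX):
            continue                 # complainant's own address, not ours
        ts = STAMP.search(text, m.end())
        events.append((m.group(), ts.group() if ts else None))
    return flagged, events

def lookup_user(ip, when):
    """Map IP + time to the subscriber whose session held that address then."""
    if when is None:
        return None                  # no timestamp: never guess on a dynamic pool
    t = datetime.strptime(when, FMT)
    for userid, sip, start, stop in SESSIONS:
        if sip == ip and datetime.strptime(start, FMT) <= t <= datetime.strptime(stop, FMT):
            return userid
    return None

def triage(text):
    """Return the suspend actions the ticketing system would be asked to apply."""
    flagged, events = parse_complaint(text)
    if not flagged:
        return []                    # not a malware report; leave it for a human
    return [{"userid": u, "ip": ip, "when": when, "action": "suspend"}
            for ip, when in events if (u := lookup_user(ip, when))]
```

The timestamp check matters on a dynamic pool: the same address belongs to a different subscriber an hour later, so an IP alone would suspend the wrong account.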